Rootkit

A rootkit is a collection of tools or kernel/firmware components designed to give an attacker persistent, high-privilege access while concealing files, processes, registry keys, and network connections from defenders. Rootkits operate at different levels: user-mode (hooking APIs), kernel-mode (modifying the kernel), bootkit (boot loader), or firmware (UEFI/BIOS). They are typically dropped after initial compromise to maintain long-term presence and frustrate forensic analysis. Detection requires memory forensics, integrity verification, secure boot, EDR with kernel visibility, and offline scans. Mitigations include UEFI Secure Boot, signed drivers, vTPM-based attestation and minimizing kernel-mode software.